Security Is a UI Problem

Balancing usability and security isn't an easy task, as evidenced by the number of systems with "security features" that are easy for users to turn off. David Chisnall discusses the issues on both sides of the fence.

There’s a saying that it’s very easy to secure a Windows
box—just unplug it. Behind this bit of humor is a serious point; namely,
that it’s very easy to make a secure system if you’re willing to
compromise functionality. A machine that doesn’t do anything is by nature
very secure. The problem that faces software developers is how to balance
usability with security.

A Tale of Two Security Models

Many people argue that UNIX is more secure than Windows. When pressed,
however, they find it very hard to point at vulnerabilities in the NT kernel.
Indeed, on paper the Windows security model is obviously superior; every object
has an associated access control list, and this list is checked by the kernel on
every access.

The UNIX model, in contrast, is much more primitive. Only files have any kind
of access control (although, in fairness, most things on a UNIX system do tend
to be files), which just have user, group, and everyone permissions. There are
only two levels of security:

Users can do whatever root allows them to do.

Root can do anything.
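To make the contrast between the two models concrete, here is an added example (not code from the article) that implements a simplified UNIX mode-bit check beside a simplified NT-style ordered ACL walk; the data types, the principal names, and the single root exception for execute are assumptions made for this illustration.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # the same bit values UNIX uses in a mode triplet
ROOT_UID = 0


@dataclass
class UnixFile:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


def unix_allowed(f: UnixFile, uid: int, gids: set[int], want: int) -> bool:
    """Classic UNIX check: root overrides everything, everyone else gets
    exactly one of the three triplets (owner, group, other), never a mix."""
    if uid == ROOT_UID:
        # The one exception the kernel makes: even root cannot execute a
        # regular file that carries no execute bit at all.
        return not (want & EXEC) or bool(f.mode & 0o111)
    if uid == f.owner_uid:
        bits = (f.mode >> 6) & 0o7
    elif f.group_gid in gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & want == want


@dataclass
class Ace:
    allow: bool      # False means an access-denied entry
    principal: str   # user or group name (constructed for this example)
    rights: int


def acl_allowed(dacl: list[Ace], principals: set[str], want: int) -> bool:
    """NT-style walk: entries are evaluated in order; a deny entry that
    matches the caller and covers a still-ungranted right wins immediately,
    allow entries accumulate until every wanted right is covered, and an
    ACL that never matches denies by default."""
    granted = 0
    for ace in dacl:
        if ace.principal not in principals:
            continue
        if not ace.allow and ace.rights & want & ~granted:
            return False
        if ace.allow:
            granted |= ace.rights
            if granted & want == want:
                return True
    return False
```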

Experience suggests that the simpler model provides greater security, but this
isn’t always the case. VMS,
for example, has both a complex fine-grained security model and a superb
reputation for security. The difference between VMS and Windows is that VMS
machines tend to be run by people with a huge amount of experience tuning and
configuring VMS. If a large proportion of your job is understanding a particular
security model, then you’re probably going to be quite good at ensuring
that that system is secure. In contrast, a large number of Windows machines are
home machines run by people with little or no computing experience, or in small
companies with no dedicated IT staff. Where VMS users configure their security
policies carefully, Windows users simply turn off the security measures because
they’re too complicated to get right.

Perhaps the same criticism can be leveled at UNIX. To make the comparison
fair, let’s look at Mac OS X. Built on a UNIX kernel (although not a
particularly traditional one in many ways), OS X inherits the UNIX security
model. In OS X, a user encounters no system interference for 90% of the things
that he or she might need to do on an everyday basis. For other activities, such
as installing updates, the user is prompted to enter a password. In other words,
the security system keeps out of the user’s way most of the time.